April 07, 2015

A New Day, A New Security Breach: Taking Your Producer's Security Information Seriously

By: Tim Owen

With two major consumer information security breaches in the health industry in recent news, now is the time to also talk about being proactive about protecting the personal information of producers.

The Consequences of Being Reactive

Recent reports on the security breaches have many producers in the industry concerned for the security of their personal identification information. Breaches in this industry can give criminals access to social security numbers (SSN), addresses, birthdays, medical, and bank information. Consequentially, compromised information leaves producers, not just insurance consumers, vulnerable to identity theft and related fraud.

Repercussions of a breach can greatly affect not only your customers and producers, but your credibility in this competitive industry; security needs to be taken more seriously.

Sharing Information Securely

So far, there hasn't been a major breach related to producer information, but it will happen eventually unless the industry comes together to do something now to reduce the use and proliferation of personal information, especially social security numbers. The industry is increasingly aware of these risks and consequences, but the changes needed to proactively address these risks and secure producer information has been slow to materialize.

To start, we acknowledge that sharing social security numbers are necessary for the following:
1.  Tax purposes
2.  Background investigations
3.  Resident license applications

In these specific cases that information needs to be collected and shared, we have to improve our approach to securely storing and sharing this sensitive information, as well as reducing or even eliminating use of this information in producer licensing, appointing, and other administrative processes.

Identification Alternatives

Beyond those listed transactions where social security numbers are required, we should try to eliminate the use of social security numbers. Does an appointment request to a state really require a social security number?

With the advent of the National Producer Number (NPN) in insurance, and the Central Registration Depository (CRD) in securities, the need for social security numbers for appointments and establishing selling relationships with carriers has been reduced.

Ideally, for insurance regulatory purposes outside of an initial license application, social security numbers aren't required. For non-resident license applications, resident and non-resident renewals, producer to agency affiliations, CE course completions, and appointments, the NPN and CRD number is sufficient to identify someone uniquely for business purposes. Unfortunately, companies continue to require social security number for these transactions, increasing the risk of breach along the way.

The Future of Information Security

How do we as an industry work together to reduce the proliferation of transmitting and storing social security numbers, date of birth, etc.? Are there better solutions and alternatives?

For example, could we find a way to store personal information in highly-secure industry repository (the National Producer Database – PDB, and CRD for securities, for instance) and allow trusted access to that information when legitimately required for business purposes?

At Vertafore we're working with our state insurance regulators, carriers, securities firms, and agencies, as well as the NIPR, the NAIC, and FINRA to reduce the use, storage, and tracking of social security numbers. Progress in security practices must be made now to protect the personal information of your producers.

Did you like this post?